Test windows installer only.

This PR adds the following documentation improvements to fix https://github.com/certbot/certbot/issues/7958:

- Simplify building external plugins
- Separate out certbot snap instructions from plugin instructions
- Mention that dnsimple is just an example for the plugin instructions
- Mention remote build for other architectures
- Mention snap doc exists elsewhere in developer guide (`contributing.rst`)

* Set up generate_dnsplugins_all.sh for all files and parametrize snapcraft and postrefreshhook files

* Create constraints file in the generate_dnsplugins_all script

* Separate out plugin and certbot snaps and update instructions

* Add remote build instructions

* Add pointers to the README to contributing.rst

.azure-pipelines/templates/jobs/packaging-jobs.yml

@@ -1,55 +1,4 @@
 jobs:
-  - job: docker_build
-    pool:
-      vmImage: ubuntu-18.04
-    strategy:
-      matrix:
-        amd64:
-          DOCKER_ARCH: amd64
-        # Do not run the heavy non-amd64 builds for test branches
-        ${{ if not(startsWith(variables['Build.SourceBranchName'], 'test-')) }}:
-          arm32v6:
-            DOCKER_ARCH: arm32v6
-          arm64v8:
-            DOCKER_ARCH: arm64v8
-    steps:
-      - bash: set -e && tools/docker/build.sh $(dockerTag) $DOCKER_ARCH
-        displayName: Build the Docker images
-      # We don't filter for the Docker Hub organization to continue to allow
-      # easy testing of these scripts on forks.
-      - bash: |
-          set -e
-          DOCKER_IMAGES=$(docker images --filter reference='*/certbot' --filter reference='*/dns-*' --format '{{.Repository}}')
-          docker save --output images.tar $DOCKER_IMAGES
-        displayName: Save the Docker images
-      # If the name of the tar file or artifact changes, the deploy stage will
-      # also need to be updated.
-      - bash: set -e && mv images.tar $(Build.ArtifactStagingDirectory)
-        displayName: Prepare Docker artifact
-      - task: PublishPipelineArtifact@1
-        inputs:
-          path: $(Build.ArtifactStagingDirectory)
-          artifact: docker_$(DOCKER_ARCH)
-        displayName: Store Docker artifact
-  - job: docker_run
-    dependsOn: docker_build
-    pool:
-      vmImage: ubuntu-18.04
-    steps:
-      - task: DownloadPipelineArtifact@2
-        inputs:
-          artifact: docker_amd64
-          path: $(Build.SourcesDirectory)
-        displayName: Retrieve Docker images
-      - bash: set -e && docker load --input $(Build.SourcesDirectory)/images.tar
-        displayName: Load Docker images
-      - bash: |
-          set -ex
-          DOCKER_IMAGES=$(docker images --filter reference='*/certbot' --filter reference='*/dns-*' --format '{{.Repository}}:{{.Tag}}')
-          for DOCKER_IMAGE in ${DOCKER_IMAGES}
-            do docker run --rm "${DOCKER_IMAGE}" plugins --prepare
-          done
-        displayName: Run integration tests for Docker images
   - job: installer_build
     pool:
       vmImage: vs2017-win2016
@@ -103,7 +52,7 @@ jobs:
       # a recent version of pip, but we also to disable the isolated feature as described in
       # https://github.com/certbot/certbot/issues/8256
       - script: |
-          py -3 -m venv venv
+          python -m venv venv
           venv\Scripts\python -m pip install pip==20.2.3 setuptools==50.3.0 wheel==0.35.1
           venv\Scripts\python tools\pip_install.py -e certbot-ci
         env:
@@ -117,105 +66,3 @@ jobs:
           set PATH=%ProgramFiles(x86)%\Certbot\bin;%PATH%
           venv\Scripts\python -m pytest certbot-ci\certbot_integration_tests\certbot_tests -n 4
         displayName: Run certbot integration tests
-  - job: snaps_build
-    pool:
-      vmImage: ubuntu-18.04
-    timeoutInMinutes: 0
-    variables:
-      # Do not run the heavy non-amd64 builds for test branches
-      ${{ if not(startsWith(variables['Build.SourceBranchName'], 'test-')) }}:
-        ARCHS: amd64 arm64 armhf
-      ${{ if startsWith(variables['Build.SourceBranchName'], 'test-') }}:
-        ARCHS: amd64
-    steps:
-      - script: |
-          set -e
-          sudo apt-get update
-          sudo apt-get install -y --no-install-recommends snapd
-          sudo snap install --classic snapcraft
-        displayName: Install dependencies
-      - task: UsePythonVersion@0
-        inputs:
-          versionSpec: 3.8
-          addToPath: true
-      - task: DownloadSecureFile@1
-        name: credentials
-        inputs:
-          secureFile: launchpad-credentials
-      - script: |
-          set -e
-          git config --global user.email "$(Build.RequestedForEmail)"
-          git config --global user.name "$(Build.RequestedFor)"
-          mkdir -p ~/.local/share/snapcraft/provider/launchpad
-          cp $(credentials.secureFilePath) ~/.local/share/snapcraft/provider/launchpad/credentials
-          python3 tools/snap/build_remote.py ALL --archs ${ARCHS}
-        displayName: Build snaps
-      - script: |
-          set -e
-          mv *.snap $(Build.ArtifactStagingDirectory)
-          mv certbot-dns-*/*.snap $(Build.ArtifactStagingDirectory)
-        displayName: Prepare artifacts
-      - task: PublishPipelineArtifact@1
-        inputs:
-          path: $(Build.ArtifactStagingDirectory)
-          artifact: snaps
-        displayName: Store snaps artifacts
-  - job: snap_run
-    dependsOn: snaps_build
-    pool:
-      vmImage: ubuntu-18.04
-    steps:
-      - task: UsePythonVersion@0
-        inputs:
-          versionSpec: 3.8
-          addToPath: true
-      - script: |
-          set -e
-          sudo apt-get update
-          sudo apt-get install -y --no-install-recommends nginx-light snapd
-          python3 -m venv venv
-          venv/bin/python letsencrypt-auto-source/pieces/pipstrap.py
-          venv/bin/python tools/pip_install.py -U tox
-        displayName: Install dependencies
-      - task: DownloadPipelineArtifact@2
-        inputs:
-          artifact: snaps
-          path: $(Build.SourcesDirectory)/snap
-        displayName: Retrieve Certbot snaps
-      - script: |
-          set -e
-          sudo snap install --dangerous --classic snap/certbot_*_amd64.snap
-        displayName: Install Certbot snap
-      - script: |
-          set -e
-          venv/bin/python -m tox -e integration-external,apacheconftest-external-with-pebble
-        displayName: Run tox
-  - job: snap_dns_run
-    dependsOn: snaps_build
-    pool:
-      vmImage: ubuntu-18.04
-    steps:
-      - script: |
-          set -e
-          sudo apt-get update
-          sudo apt-get install -y --no-install-recommends snapd
-        displayName: Install dependencies
-      - task: UsePythonVersion@0
-        inputs:
-          versionSpec: 3.8
-          addToPath: true
-      - task: DownloadPipelineArtifact@2
-        inputs:
-          artifact: snaps
-          path: $(Build.SourcesDirectory)/snap
-        displayName: Retrieve Certbot snaps
-      - script: |
-          set -e
-          python3 -m venv venv
-          venv/bin/python letsencrypt-auto-source/pieces/pipstrap.py
-          venv/bin/python tools/pip_install.py -e certbot-ci
-        displayName: Prepare Certbot-CI
-      - script: |
-          set -e
-          sudo -E venv/bin/pytest certbot-ci/snap_integration_tests/dns_tests --allow-persistent-changes --snap-folder $(Build.SourcesDirectory)/snap --snap-arch amd64
-        displayName: Test DNS plugins snaps

.azure-pipelines/templates/stages/test-and-package-stage.yml

@@ -1,6 +1,4 @@
 stages:
   - stage: TestAndPackage
     jobs:
-      - template: ../jobs/standard-tests-jobs.yml
-      - template: ../jobs/extended-tests-jobs.yml
       - template: ../jobs/packaging-jobs.yml

certbot/certbot/_internal/main.py

@@ -1109,7 +1109,9 @@ def run(config, plugins):
     cert_path = new_lineage.cert_path if new_lineage else None
     fullchain_path = new_lineage.fullchain_path if new_lineage else None
     key_path = new_lineage.key_path if new_lineage else None
-    _report_new_cert(config, cert_path, fullchain_path, key_path)
+
+    if should_get_cert:
+        _report_new_cert(config, cert_path, fullchain_path, key_path)
 
     _install_cert(config, le_client, domains, new_lineage)
 

certbot/docs/contributing.rst

@@ -375,6 +375,9 @@ The script used to generate the snapcraft.yaml files for our own externally
 snapped plugins can be found at
 https://github.com/certbot/certbot/blob/master/tools/snap/generate_dnsplugins_snapcraft.sh.
 
+For more information on building externally snapped plugins, see the section on
+:ref:`Building snaps`.
+
 Once you have created your own snap, if you have the snap file locally,
 it can be installed for use with Certbot by running:
 
@@ -534,6 +537,15 @@ Use of EFFOSCCP is subject to the `EFF Code of Conduct
 <https://www.eff.org/pages/eppcode>`_. When investigating an alleged Code of
 Conduct violation, EFF may review discussion channels or direct messages.
 
+.. _Building snaps:
+
+Building the Certbot and DNS plugin snaps
+=========================================
+
+Instructions for how to manually build and run the Certbot snap and the externally
+snapped DNS plugins that the Certbot project supplies are located in the README
+file at https://github.com/certbot/certbot/tree/master/tools/snap.
+
 Updating certbot-auto and letsencrypt-auto
 ==========================================
 

certbot/docs/using.rst

@@ -191,6 +191,7 @@ Once installed, you can find documentation on how to use each plugin at:
 * `certbot-dns-digitalocean <https://certbot-dns-digitalocean.readthedocs.io>`_
 * `certbot-dns-dnsimple <https://certbot-dns-dnsimple.readthedocs.io>`_
 * `certbot-dns-dnsmadeeasy <https://certbot-dns-dnsmadeeasy.readthedocs.io>`_
+* `certbot-dns-gehirn <https://certbot-dns-gehirn.readthedocs.io>`_
 * `certbot-dns-google <https://certbot-dns-google.readthedocs.io>`_
 * `certbot-dns-linode <https://certbot-dns-linode.readthedocs.io>`_
 * `certbot-dns-luadns <https://certbot-dns-luadns.readthedocs.io>`_
@@ -198,6 +199,7 @@ Once installed, you can find documentation on how to use each plugin at:
 * `certbot-dns-ovh <https://certbot-dns-ovh.readthedocs.io>`_
 * `certbot-dns-rfc2136 <https://certbot-dns-rfc2136.readthedocs.io>`_
 * `certbot-dns-route53 <https://certbot-dns-route53.readthedocs.io>`_
+* `certbot-dns-sakuracloud <https://certbot-dns-sakuracloud.readthedocs.io>`_
 
 Manual
 ------

certbot/tests/main_test.py

@@ -1281,13 +1281,16 @@ class MainTest(test_util.ConfigTestCase):
     @test_util.patch_get_utility()
     @mock.patch('certbot._internal.main._find_lineage_for_domains_and_certname')
     @mock.patch('certbot._internal.main._init_le_client')
-    def test_certonly_reinstall(self, mock_init, mock_renewal, mock_get_utility):
+    @mock.patch('certbot._internal.main._report_new_cert')
+    def test_certonly_reinstall(self, mock_report_new_cert, mock_init,
+                                mock_renewal, mock_get_utility):
         mock_renewal.return_value = ('reinstall', mock.MagicMock())
         mock_init.return_value = mock_client = mock.MagicMock()
         self._call(['-d', 'foo.bar', '-a', 'standalone', 'certonly'])
         self.assertFalse(mock_client.obtain_certificate.called)
         self.assertFalse(mock_client.obtain_and_enroll_certificate.called)
         self.assertEqual(mock_get_utility().add_message.call_count, 0)
+        mock_report_new_cert.assert_not_called()
         #self.assertTrue('donate' not in mock_get_utility().add_message.call_args[0][0])
 
     def _test_certonly_csr_common(self, extra_args=None):

tools/docker/build.sh

@@ -12,19 +12,6 @@ IFS=$'\n\t'
 #   given value is only the base of the tag because the things like the CPU
 #   architecture are also added to the full tag.
 
-# As of writing this, runs of this script consistently fail in Azure
-# Pipelines, but they are fixed by using Docker BuildKit. A log of the failures
-# that were occurring can be seen at
-# https://gist.github.com/2227a05622299ce17bff9b0da714a1ff. Since using
-# BuildKit is supposed to offer benefits anyway (see
-# https://docs.docker.com/develop/develop-images/build_enhancements/ for more
-# information), let's use it.
-#
-# This variable is set inside the script itself rather than in something like
-# the CI config to have a consistent experience when this script is run
-# locally.
-export DOCKER_BUILDKIT=1
-
 WORK_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null && pwd )"
 REPO_ROOT="$(dirname "$(dirname "${WORK_DIR}")")"
 source "$WORK_DIR/lib/common"

tools/snap/README.md

@@ -1,7 +1,10 @@
-# Certbot Snaps
+# Building Certbot Snaps
 
 ## Local Testing and Development
 
+These instructions are recommended when testing anything about the snap setup for ease of debugging.
+The architecture of the built snap is limited to the architecture of the system it is built on.
+
 ### Initial VM Set Up
 
 These steps need to be done once to set up your VM and do not need to be run again to rebuild the snap.
@@ -15,31 +18,83 @@ These steps need to be done once to set up your VM and do not need to be run aga
  6. Install snapcraft with `sudo snap install --classic snapcraft`.
  7. `cd ~` (or any other directory where you want our source files to be)
  8. Run `git clone git://github.com/certbot/certbot`
- 9. `cd certbot`
+ 9. `cd certbot` (All further instructions are relative to this directory.)
 
-### Build the Snaps
+### Certbot Snap
 
-These are the steps to build and install the snaps. If you have run these steps before, you may want to run the commands in the section below to clean things up before building the snap again.
+#### Reset the Environment
+
+If the snap has been built before, the instructions below clean up the build environment so it can reliably be used again.
+
+ 1. `snapcraft clean --use-lxd`
+ 2. [Optional] `mv certbot_*_amd64.snap certbot_amd64.snap.bak`
+
+#### Build the Certbot Snap
+
+These are the steps to build and install the Certbot snap. If you have run these steps before, you may want to run the commands in the section above to clean things up or save a previous build before building the snap again (running `snapcraft` again will overwrite the previous snap).
 
  1. Run `snapcraft --use-lxd`.
  2. Install the generated snap with `sudo snap install --dangerous --classic certbot_*_amd64.snap`. You can transfer the snap to a different machine to run it there instead if you prefer.
- 3. Run `tools/merge_requirements.py tools/dev_constraints.txt <(tools/strip_hashes.py letsencrypt-auto-source/pieces/dependency-requirements.txt) > certbot-dns-dnsimple/snap-constraints.txt` (this is a workaround for https://github.com/certbot/certbot/issues/8100).
- 4. `cd certbot-dns-dnsimple`
- 5. `snapcraft --use-lxd`
- 6. Run `sudo snap set certbot trust-plugin-with-root=ok`.
- 7. Install the generated snap with `sudo snap install --dangerous certbot-dns-dnsimple_*_amd64.snap`. Again, you can transfer the snap to a different machine to run it there instead if you prefer.
- 8. Connect the plugin with `sudo snap connect certbot:plugin certbot-dns-dnsimple`.
- 9. Connect the plugin metadata with `sudo snap connect certbot-dns-dnsimple:certbot-metadata certbot:certbot-metadata`. Install the plugin again to test refresh; logs are at `/var/snap/certbot-dns-dnsimple/current/debuglog`.
- 10. Now you can run Certbot as normal. For example, `certbot plugins` should display the DNSimple plugin as installed.
 
-### Reset the Environment
+#### Run
 
-The instructions below clean up the build environment so it can reliably be used again.
+Run Certbot as normal. For example, `certbot plugins` should display the Apache and Nginx plugins.
 
-1. `cd ~/certbot` (or to an alternate path where you put our source files)
+### Certbot Plugin Snaps
-2. `snapcraft clean --use-lxd`
+
-3. `rm certbot_*_amd64.snap`
+These instructions use the `certbot-dns-dnsimple` plugin as an example, but all of Certbot's other plugin snaps can be built in the same way.
-4. `cd certbot-dns-dnsimple`
+
-5. `rm certbot-dns-dnsimple_*_amd64.snap`
+#### Reset the Environment
-6. `snapcraft clean --use-lxd`
+
-7. `cd ..`
+If the plugin snap has been built before, the instructions below clean up the build environment so it can reliably be used again.
+
+ 1. `cd certbot-dns-dnsimple`
+ 2. `snapcraft clean --use-lxd`
+ 3. [Optional] `mv certbot-dns-dnsimple_*_amd64.snap certbot-dns-simple_amd64.snap.bak`
+ 4. `cd ..`
+
+#### Build a Certbot Plugin Snap
+
+These are the steps to build and install the Certbot DNSimple plugin snap. If you have run these steps before, you may want to run the commands in the section above to clean things up or save a previous build before building the snap again (running `snapcraft` again will overwrite the previous snap).
+
+ 1. Run `tools/snap/generate_dnsplugins_all.sh` to generate all necessary files for all plugin snaps.
+ 2. `cd certbot-dns-dnsimple`
+ 3. `snapcraft --use-lxd`
+ 4. Run `sudo snap set certbot trust-plugin-with-root=ok`.
+ 5. Install the generated snap with `sudo snap install --dangerous certbot-dns-dnsimple_*_amd64.snap`. Again, you can transfer the snap to a different machine to run it there instead if you prefer.
+ 6. Connect the plugin with `sudo snap connect certbot:plugin certbot-dns-dnsimple`.
+ 7. Connect the plugin metadata with `sudo snap connect certbot-dns-dnsimple:certbot-metadata certbot:certbot-metadata`. Install the plugin again to test refresh; logs are at `/var/snap/certbot-dns-dnsimple/current/debuglog`.
+
+#### Run
+
+Run Certbot as normal. For example, `certbot plugins` should display the DNSimple plugin as installed.
+
+## Building for Other Architectures
+
+To build for an unavailable architecture or for multiple architectures simultaneously, we recommend using snapcraft's remote build feature.
+It is easiest to run this from a local machine.
+
+### Initial Local Setup
+
+ 1. Create or log into an Ubuntu One account [here](https://login.launchpad.net/).
+ 2. Install git and python with `sudo apt update && sudo apt install -y git python`.
+ 3. Install snapcraft with `sudo snap install --classic snapcraft`.
+ 4. `cd ~` (or any other directory where you want our source files to be)
+ 5. Run `git clone git://github.com/certbot/certbot`
+ 6. `cd certbot` (All further instructions are relative to this directory.)
+ 7. To trigger `snapcraft` to request access to your Launchpad account, run
+    `snapcraft remote-build --launchpad-accept-public-upload --status`. A URL where you need
+    to grant this access will be printed to your terminal and automatically open in your browser
+    if one is available.
+
+### Build Snaps Remotely
+
+Certbot provides a wrapper around snapcraft's remote build to make building all of our plugins easier. To see all available
+options, run `python3 tools/snap/build_remote.py --help`.
+
+For example, to build all available snaps for all architectures, run `python3 tools/snap/build_remote.py ALL --archs amd64 arm64 armhf`.
+
+To build only the certbot snap on only amd64, run `python3 tools/snap/build_remote.py certbot --archs armhf`.
+
+The command will upload the entire contents of the working directory, so if the remote build
+appears to hang, try using a clean clone of the `certbot` repository.

tools/snap/generate_dnsplugins_all.sh

@@ -0,0 +1,15 @@
+#!/bin/bash
+# Generate all necessary files for building snaps for all DNS plugins
+set -eu
+
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
+CERTBOT_DIR="$(dirname "$(dirname "${DIR}")")"
+
+for PLUGIN_PATH in "${CERTBOT_DIR}"/certbot-dns-*; do
+  bash "${CERTBOT_DIR}"/tools/snap/generate_dnsplugins_snapcraft.sh $PLUGIN_PATH
+  bash "${CERTBOT_DIR}"/tools/snap/generate_dnsplugins_postrefreshhook.sh $PLUGIN_PATH
+  # Create constraints file
+  "${CERTBOT_DIR}"/tools/merge_requirements.py tools/dev_constraints.txt \
+    <("${CERTBOT_DIR}"/tools/strip_hashes.py letsencrypt-auto-source/pieces/dependency-requirements.txt) \
+    > "${PLUGIN_PATH}"/snap-constraints.txt
+done

tools/snap/generate_dnsplugins_postrefreshhook.sh

@@ -1,13 +1,13 @@
 #!/bin/bash
-# Generate the hooks/post-refresh file for all DNS plugins
+# Generate the hooks/post-refresh file for a DNS plugin
+# Usage: bash generate_dnsplugins_postrefreshhook.sh path/to/dns/plugin
+# For example, from the certbot home directory:
+#   tools/snap/generate_dnsplugins_postrefreshhook.sh certbot-dns-dnsimple
 set -eu
 
-DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
+PLUGIN_PATH=$1
-CERTBOT_DIR="$(dirname "$(dirname "${DIR}")")"
+mkdir -p "${PLUGIN_PATH}/snap/hooks"
-
+cat <<EOF > "${PLUGIN_PATH}/snap/hooks/post-refresh"
-for PLUGIN_PATH in "${CERTBOT_DIR}"/certbot-dns-*; do
-  mkdir -p "${PLUGIN_PATH}/snap/hooks"
-  cat <<EOF > "${PLUGIN_PATH}/snap/hooks/post-refresh"
 #!/bin/sh -e
 # This file is generated by tools/generate_dnsplugins_postrefreshhook.sh and should not be edited manually.
 
@@ -31,4 +31,3 @@ if [ "\$exit_code" -eq 1 ]; then
   exit 1
 fi
 EOF
-done

tools/snap/generate_dnsplugins_snapcraft.sh

@@ -1,15 +1,15 @@
 #!/bin/bash
-# Generate the snapcraft.yaml file for all DNS plugins
+# Generate the snapcraft.yaml file for a DNS plugins
+# Usage: bash generate_dnsplugins_snapcraft.sh path/to/dns/plugin
+# For example, from the certbot home directory:
+#   tools/snap/generate_dnsplugins_snapcraft.sh certbot-dns-dnsimple
 set -e
 
-DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
+PLUGIN_PATH=$1
-CERTBOT_DIR="$(dirname "$(dirname "${DIR}")")"
+PLUGIN=$(basename "${PLUGIN_PATH}")
-
+DESCRIPTION=$(grep description "${PLUGIN_PATH}/setup.py" | sed -E 's|\s+description="(.*)",|\1|g')
-for PLUGIN_PATH in "${CERTBOT_DIR}"/certbot-dns-*; do
+mkdir -p "${PLUGIN_PATH}/snap"
-  PLUGIN=$(basename "${PLUGIN_PATH}")
+cat <<EOF > "${PLUGIN_PATH}/snap/snapcraft.yaml"
-  DESCRIPTION=$(grep description "${PLUGIN_PATH}/setup.py" | sed -E 's|\s+description="(.*)",|\1|g')
-  mkdir -p "${PLUGIN_PATH}/snap"
-  cat <<EOF > "${PLUGIN_PATH}/snap/snapcraft.yaml"
 # This file is generated by tools/generate_dnsplugins_snapcraft.sh and should not be edited manually.
 name: ${PLUGIN}
 summary: ${DESCRIPTION}
@@ -52,4 +52,3 @@ plugs:
     content: metadata-1
     target: \$SNAP/certbot-shared
 EOF
-done